mDNS over VPN
mDNS across VLANs works for me, however, when I join the same subnetwork from my VPN (WireGuard), it doesn't. I can still access resources through their IP.
VPN and mDNS are two different concepts. They have no correlation.
mDNS is a local network discovery protocol aiming to resolve the address resolution between the VLANs. While the VPN tunnel is encrypted and routed differently from the routing table.
same question on my side.... any ideas? I want to get the AirPrinters to work via my iPhone when it is connected to my WireGuard.
@Clive_A it took seven months to be served with nonsense and as a customer my issue still isn't solved. I have a Bonjour gateway bridging mdns for my different VLANs including the VPN subnet.
I asked ChatGPT to point out what is wrong with your answer:
Here’s a breakdown of issues with each assertion:
1. “VPN and mDNS are two different concepts. They have no correlation.”
• Incomplete Understanding of Use Cases: While VPN and mDNS serve different primary purposes (secure connectivity for VPN vs. local network discovery for mDNS), the statement that they “have no correlation” may overlook practical scenarios where they intersect. For instance, many users want mDNS (used for discovering services like printers or media devices) to work over VPNs so they can access local network devices remotely.
• Oversimplification: VPNs can impact mDNS functionality because VPNs typically create a distinct network environment, which may disrupt local mDNS-based service discovery across networks. Techniques like split tunneling or specific VPN configurations are often used to bridge these environments. Saying they have “no correlation” ignores this potential relationship.
2. “mDNS is a local network discovery protocol aiming to resolve the address resolution between the VLANs.”
• Misleading Description of mDNS Function: mDNS (Multicast DNS) operates primarily within a single local network segment (broadcast domain). It’s designed to allow devices to discover each other within a local subnet without needing a traditional DNS server. However, mDNS does not inherently aim to work between VLANs, as VLANs usually segment traffic, requiring additional configurations (like mDNS relays or gateways) to enable mDNS communication across VLANs.
• Ambiguity on Purpose: The phrase “resolve the address resolution” is redundant and unclear. mDNS essentially provides name resolution by associating local IP addresses with hostnames for devices on a network segment, not between VLANs unless additional network adjustments are made.
3. “While the VPN tunnel is encrypted and routed differently from the routing table.”
• Misunderstanding of Routing: VPN tunnels indeed encrypt traffic and often use separate routing mechanisms; however, saying they’re “routed differently from the routing table” is misleading. VPNs actually do work with routing tables but may have their own entries to specify how traffic should flow through the tunnel. A VPN client typically adds routes to the device’s routing table to direct traffic through the tunnel.
• Unclear Explanation of Encryption Role: The statement does not clarify how encryption differentiates VPNs from protocols like mDNS. While encryption is a core feature of VPNs, mDNS lacks this feature as it wasn’t designed for secure remote access but for local discovery, which could have been explicitly noted.
In summary, each statement could benefit from clarification on the purposes, functionalities, and potential points of intersection between VPNs and mDNS, as well as more precise language.
mtl_squirrel wrote: (the post above)
Interestingly enough. Guess why I did not reply in the first place? It makes no sense to me as the question is not correct. It misunderstands the situation.
I thought I just replied to this to answer the reason so others can read it and understand the context.
If you really count on the GPT to get everything answered without bearing some basic knowledge and take it as correct in every response, then good luck to you.
Some parts cannot be reasoned and contradict themselves. Look into how it responds to you?
I am not a sage or correct in every aspect but feel sorry about my poor knowledge and GPT should take my place if this misleading GPT response convinces you.
As a man who favors new tech and stuff, it is LOL to see that you fully believe what it says. I am not an anti-AI guy but you should know that GPT does not mean everything. And it is easy to poison the model and get the answer you want by asking with specific prompts.
You should paste this with your prompts along with it. I guess you gave a negative undertone to the GPT and it gave you this reply to argue. GPT is a good flatterer. And it depends on what model you use. Try a positive undertone with the same thing; it'd only confuse you.
P.S.
I ACTUALLY don't have to respond to every single question on the forum. I did not specifically reply to you by laying out the context. You seem to take it for granted and disgraced me by saying I replied with nonsense. Some need to be explained, some are self-evident.
@Clive_A hi Clive, I apologize for letting my frustration transpire.
I used AI to save myself from doing the explaining. I reviewed the AI-generated answer before sharing it - the prompt read "Criticize these assertions: [your post]".
mdns works within subnets, and across subnets using mdns bridges (e.g., Bonjour/Avahi). I use such a bridge as supplied in the Omada suite of products, which allows mdns multicast to be propagated to other subnets.
I suspect my issue lies with multicast propagation as mdns will work over OpenVPN tap connections (which operate at layer 1 of the OSI model, allowing multicast through).
Think of the VPN as a tunnel while the local networks are roads. mDNS packets are traffic that runs fine on roads but is not able to travel through the tunnel.
mtl_squirrel wrote: (the post above)
Let's move on. Forget about the AI thing and the disagreement regarding the comment.
We come to the same place now. I think we read the same posts online with the keywords "mDNS & VPN". We might have come across the same post that I read, where you could achieve that with Avahi. But I don't think we natively support it. That's the problem.
A third-party service supporting the multicast is something else. It is also beyond our dev's ability because you are building up an Avahi server. We cannot integrate that many servers to support just a single feature in the firmware as we still expand and add more services. And it's also not a job for a router.
Usually, if it is layer 2-based, we recommend you consider the GRE as it supports L2 cast. You can try that out. The rest of the VPN is based on L3.
@mtl_squirrel are you trying to achieve printing via wireguard? I also read the same things on reddit regarding an avahi server... https://www.reddit.com/r/networking/comments/53kh6h/mdns_bonjour_gateway/ but reading other posts on reddit, on apple side we need to configure more and in my example, add the printers via IP. To achieve this you need to enroll some enterprise roles via an mdm server into your iphone for example. Only using the Bonjour Gateway-Feature on Omada Side isnt enough... sadly.
see also: https://www.reddit.com/r/OPNsenseFirewall/comments/p079rh/using_airprint_over_wireguard_vpn_help/
@marcwa122 Hi Marc! Not specifically printing, but more generally to ensure mDNS packets are propagated over WireGuard. It's been a while since I researched this (my post is from March), so I don't recall exactly which sources I consulted. That said, since Omada already offers rules to allow mDNS to cross to other subnets, I believe the only issue remaining is that WireGuard doesn't support multicast. So my last-ditch attempt will be to enable multicast-to-unicast conversion for the subnets and see if that fixes it. If not, I'll probably go back to running my own DNS server and add a few local entries manually.
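Following on the multicast point raised in mtl_squirrel's earlier post (mDNS bridges work between subnets, but multicast does not cross the WireGuard tunnel) and the multicast-to-unicast idea in this reply, here is an added diagnostic, not code from this thread or from Omada: it builds a raw mDNS PTR query for the AirPrint service type, sends it either to the multicast group or as a legacy unicast query to one responder's IP, and parses the PTR answers. The service name and any target IP you pass are assumptions to substitute for your own network.

```python
import socket, struct
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # RFC 6762 multicast group and port
def encode_name(name):
    # "_ipp._tcp.local" -> b"\x04_ipp\x04_tcp\x05local\x00" (DNS wire-format name)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(service, unicast_response=False):
    # ID 0, flags 0, QDCOUNT 1, one PTR question (QTYPE 12). The QU bit (top bit of
    # QCLASS, RFC 6762 s5.4) asks the responder to answer by unicast instead of multicast.
    qclass = 0x0001 | (0x8000 if unicast_response else 0)
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", 12, qclass)
def decode_name(msg, off):
    # Returns (dotted name, offset just past the name), following compression pointers.
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:                  # 2-byte pointer into the message
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode(errors="replace"))
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if end is None else end)

def parse_ptr_answers(msg):
    # Collect the service-instance names carried in PTR answers of an mDNS response.
    qd, an = struct.unpack("!HH", msg[4:8])
    off, found = 12, []
    for _ in range(qd):                              # skip any echoed questions
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 12:
            found.append(decode_name(msg, off + 10)[0])
        off += 10 + rdlen
    return found

def probe(service="_ipp._tcp.local", target=None, timeout=2.0):
    # target=None sends a multicast query, which an L3 tunnel such as WireGuard normally
    # does not carry; target="<ip>" sends a legacy unicast query straight to one responder.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_query(service, unicast_response=target is not None), (target or MDNS_GROUP, MDNS_PORT))
    hits = set()
    try:
        while True:
            data, src = s.recvfrom(4096)
            hits.update((src[0], inst) for inst in parse_ptr_answers(data))
    except socket.timeout: pass
    return sorted(hits)                              # sorted (responder_ip, service_instance) pairs
```

If `probe()` over the tunnel returns nothing while `probe(target="<printer IP>")` lists the printer, the responder is reachable and multicast delivery is the only thing the VPN is not carrying, which is what this thread suspects.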
Views: 784
Replies: 8